Re: VLAN issue




On Mon, Jan 26, 2015 at 3:50 PM, Gordon Messmer <gordon.messmer@xxxxxxxxx>
wrote:

> On 01/25/2015 04:20 PM, Boris Epstein wrote:
>
>> I have resolved this, finally. The problem was that I configured VLAN 48
>> as the native VLAN on the trunk port. That was a mistake as apparently the
>> native VLAN is the one where Cisco does not bother to tag packets.
>>
>
> That's not a mistake, per se.  Having vlan 48 as the native vlan just
> means that you'd want 192.168.48.100 on eth0 instead of eth0.48.


+1

If it were me, I'd opt for setting the native vlan to 48 for that port.
It's simpler and avoids having vlan1 to deal with.


>
>> For now I set the native VLAN to VLAN 1 and that works.
>
> As long as you aren't concerned about the security implications of that
> host having access to vlan 1, that seems pretty reasonable.  The system
> will get some extra broadcast traffic, but the ethernet card will probably
> filter those out so that they don't have to be processed.


Boris could just set what vlans are allowed on the trunk port to his server.
Just allow vlans 48, 49, and 50 and not others.

! by default your switch trunks on vlan 1 to 4094
! now to allow it only on the three vlans you specifically specified (48,49,50)
! (the allowed-vlan command is an interface-mode command; Gi1/0/3 is the
! port checked by the show commands below)
configure terminal
 interface GigabitEthernet1/0/3
  switchport trunk allowed vlan remove 1-47,51-4094
 end
! if you chose to tell it not to trunk any vlans, you'd disconnect your
! telnet/ssh session as well as cause a service outage ... so don't do that!
!
! also realize that Cisco smuggles some data via VLAN1 [0], so there still
! will likely be traffic on VLAN1
!
! now that port should not be trunking on ALL vlans ... just 48,49,50
show int Gi1/0/3 switchport
show int Gi1/0/3 trunk


As far as security goes ...
Leaving vlan1 usable when it does not need to be is akin to locking most of
the doors at your home, but not all of them.

1) by default (most?) switches have all ports in vlan1 ... so somebody
plugs in a new switch and could potentially communicate with your server.
2) If someone compromises that server, now they have a trunk port to have
lots of fun with (create more vlan interfaces and sniff/spoof traffic).


[0]
https://supportforums.cisco.com/discussion/9118321/disabling-vlan1-across-trunks

-- 
---~~.~~---
Mike
//  SilverTip257  //
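A check for the allowed-list change discussed above, added here as an example and not part of Mike's post or any Cisco tool: it models what `switchport trunk allowed vlan remove 1-47,51-4094` leaves behind, then parses `show interfaces trunk` output and flags trunks that still carry VLAN 1 or all 4094 VLANs. The sample output below is constructed to resemble IOS formatting (port names and VLAN numbers taken from the thread); the functions `parse_vlan_list`, `allowed_vlan_remove`, `parse_show_trunk` and `audit_trunks` are this example's own names.

```python
"""Audit Cisco IOS trunk ports for over-broad VLAN allow lists.

Example code; the `show interfaces trunk` text is a constructed sample
shaped like IOS output, not captured from a real switch.
"""

ALL_VLANS = frozenset(range(1, 4095))   # 802.1Q VLAN IDs a trunk can carry


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-47,51-4094' or '48,49,50' into a set."""
    vlans = set()
    for part in text.split(','):
        part = part.strip().lower()
        if not part or part == 'none':
            continue
        if part == 'all':
            vlans.update(ALL_VLANS)
        elif '-' in part:
            lo, hi = part.split('-', 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs back into IOS range notation ('1,48-50')."""
    ids = sorted(vlans)
    if not ids:
        return 'none'
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ','.join(f'{a}-{b}' if a != b else str(a) for a, b in ranges)


def allowed_vlan_remove(current, remove):
    """Model `switchport trunk allowed vlan remove <list>` applied to `current`."""
    return parse_vlan_list(current) - parse_vlan_list(remove)


# Constructed sample: Gi1/0/3 as Boris described it (native 1, everything
# allowed); Gi1/0/7 is a hypothetical port already restricted to 48-50.
SAMPLE_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/3     on               802.1q         trunking      1
Gi1/0/7     on               802.1q         trunking      48

Port        Vlans allowed on trunk
Gi1/0/3     1-4094
Gi1/0/7     48-50

Port        Vlans allowed and active in management domain
Gi1/0/3     1,48-50
Gi1/0/7     48-50
"""


def parse_show_trunk(output):
    """Return {port: {'native': int, 'allowed': set}} from `show interfaces trunk` text."""
    trunks, section = {}, None
    for line in output.splitlines():
        if not line.strip():
            section = None           # blank line ends the current table
            continue
        if line.startswith('Port'):  # table header tells us which column follows
            if 'Native vlan' in line:
                section = 'native'
            elif 'Vlans allowed on trunk' in line:
                section = 'allowed'
            else:
                section = None       # other tables (active/pruned) are ignored
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == 'native':
            entry['native'] = int(fields[-1])
        elif section == 'allowed':
            entry['allowed'] = parse_vlan_list(fields[1])
    return trunks


def audit_trunks(trunks, wanted):
    """Flag trunks that carry all VLANs, VLAN 1, or VLANs outside `wanted`."""
    findings = {}
    for port, info in trunks.items():
        allowed = info.get('allowed', set())
        issues = []
        if allowed == ALL_VLANS:
            issues.append('allows all vlans')
        if 1 in allowed:
            issues.append('vlan 1 allowed')
        extra = allowed - set(wanted)
        if extra and allowed != ALL_VLANS:
            issues.append(f'unexpected vlans: {format_vlan_list(extra)}')
        findings[port] = issues
    return findings


if __name__ == '__main__':
    after = allowed_vlan_remove('1-4094', '1-47,51-4094')
    print('allowed after remove:', format_vlan_list(after))
    for port, issues in audit_trunks(parse_show_trunk(SAMPLE_SHOW_TRUNK), {48, 49, 50}).items():
        print(port, issues or 'ok')
```

Run it against the real `show interfaces trunk` output (pasted in place of the sample) to confirm the port only carries 48-50 after the change; a port that still shows `1-4094` or lists VLAN 1 is the case Mike warns about.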
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



